csrf

I'm using Vokuro as an example for creating a login form + action, but the login failed at CSRF validation.
But if I use Vokuro it's not a problem. I suspect it's something to do with the getSessionToken() and getToken() functions, because they return different results where they should be the same.

When I tried to use template inheritance, I too experienced CSRF validation problems for some reason. Anyway, I haven't had time to dig into that issue, so I just refused to use template inheritance.
I think that the problem lies in the internal process of inheriting, something like this: the token in the view is generated for the base template, while the token in form validation is generated for the child template, and because of that they are different and validation fails. Anyway, those are just sleepy thoughts, don't take them seriously.

is that when you execute $this->security->getToken() a NEW value is generated and saved in the session, so the $this->security->getSessionToken() will return the new one and not the one generated on the previous page, where you submitted the form.

On the other hand the
```html
{{ form.render('csrf', ['value': security.getToken()]) }}
```
works because the template's code is run after the form's code, so no new value is generated. But it works only when you use this method once/page.
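
The rotation described in the post above, modelled as an added example that is not part of the thread and is not Phalcon's code. `TokenModel` and its session array are hypothetical stand-ins, and the model assumes, as the post states, that `getToken()` overwrites the stored value on every call.

```php
<?php
// Constructed model of the behaviour described in the thread.
// This is NOT Phalcon's Security class; names here are hypothetical.
final class TokenModel
{
    /** @var array<string,string> stands in for the PHP session */
    private array $session = [];

    // Assumption from the thread: every call mints a new value and
    // overwrites the one stored in the session.
    public function getToken(): string
    {
        return $this->session['csrf'] = bin2hex(random_bytes(16));
    }

    // Reads the stored value without changing it.
    public function getSessionToken(): ?string
    {
        return $this->session['csrf'] ?? null;
    }

    // Constant-time comparison of the submitted value with the stored one.
    public function check(string $submitted): bool
    {
        $stored = $this->getSessionToken();
        return $stored !== null && hash_equals($stored, $submitted);
    }
}

$sec = new TokenModel();

// Request 1: the form is rendered once; the hidden field carries $inForm.
$inForm = $sec->getToken();

// Request 2, safe order: validate the submitted value before anything
// in the request calls getToken() again.
var_dump($sec->check($inForm));

// Request 2, failing order: some code path calls getToken() before the
// check. The session now holds the fresh value, so the form's value is stale.
$fresh = $sec->getToken();
var_dump($fresh === $sec->getSessionToken());
var_dump($sec->check($inForm));

// Same effect within one page: with two getToken() calls, only the value
// from the last call is still stored when the form comes back.
$first  = $sec->getToken();
$second = $sec->getToken();
var_dump($sec->check($first), $sec->check($second));
```

In a handler this means validating the submitted token first and rendering (or re-rendering) the form afterwards, with a single `getToken()` call per page.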